A new Cisco report highlights shifting patterns in cybercriminal exploits as crooks hone their tools and hone in on you.

The good news? Unsophisticated mass spam exploits are receding. According to the report, daily mass spam volumes dropped by 80%, from 300 billion messages in June 2010 to 40 billion last month. Unfortunately, this is not because prophecies of eradication through technical solutions have been fulfilled; it’s because the financial returns from mass spam/e-mail attacks declined by over 50 percent, from $1.1 billion in June 2010 to $500 million in June 2011.

In other words, mass spam is an outdated business model, and state-of-the-art criminal businesses have adapted to focus on greater returns for their investments.

Today, the real money is in targeted, personalized attacks. The report found that in the last 12 months, spear phishing attacks have increased threefold; personalized scams, malicious and targeted attacks have all risen fourfold, and a good phishing campaign can net at least 10 times the profit of a mass spam attack.

This spam vs. spear phishing table makes it easy to see why targeted attacks carry a much higher return on investment, particularly as law enforcement agencies and large email carriers are coordinating their focus on mass spammers.

Though the costs of spear phishing are estimated to be five times greater per targeted user than a mass attack, cybercriminals are balancing priorities – is it better to infect more users or to keep attacks small enough to avoid notice by security vendors? By targeting high-income earners and business users with corporate bank accounts, cybercrooks are ensuring they see a stronger return on their lower infection rates. This is why, according to the report, the average value per victim can be 40x that of a mass attack. Balancing this against the greater acquisition cost, the profit from a single spear phishing attack can still be more than 10 times the profit of a mass attack.

Financial impact on legitimate companies and individuals

Cisco estimates the cost of targeted attacks to organizations to be $1.29 billion annually. This cost is split into three key buckets – the actual financial loss, the cost of remediation, and the cost of repairing the company’s damaged reputation. Cisco calculates that for every $1 lost due to infected users, enterprises spend an additional $2.10 on remediation and $6.40 on reputation repair. To learn more, see the Cisco Cybercrime Return on Investment Matrix.

The biggest risk of victimization comes through misplaced trust

Criminals have learned that they don’t need to break down the security barriers of a company (or home), they just need to fool one person into trusting them once. One mistake. One person who followed their natural inclination to trust, who was too rushed to take the time to check the facts, or who believed the fake evidence put before them.

“Miscreants are continuing to find new and creative ways to exploit network, system, and even human vulnerabilities to steal information or do damage,” says John N. Stewart, vice president and chief security officer for Cisco. “The challenge is that we need to block their exploits 100% of the time if we are to protect our networks and information. They can be right once; we have to be right all of the time. We need to be ever vigilant in our efforts to protect our assets, information, and ourselves online.”

What this means for protecting yourself and your company

To avoid falling victim to malicious targeted attacks, every computer and smartphone used must have strong, up-to-date security software in place. This should go without saying, but unfortunately the vast majority of personal computing devices remain unprotected or their protection is not up to date.

While this lack of security would seem to threaten only individuals, many employees use their personal computers/phones to perform work tasks at least some of the time, thereby exposing their companies through these devices as well. Additionally, it’s critical to understand that security software alone will not protect you, your devices, your home network, or your workplace from threats you introduce by falling for a criminal’s exploit.

Every user must be trained to identify malicious links, spear phishing scams, dangerous downloads, and suspect connection points. This training has to be so well instilled that family members or employees who are rushed, focused on something else, or in some way distracted will still make the right choices and avoid the scams. Yet as Stewart pointed out, making the right choice 95% of the time isn’t enough – a 5% failure rate is more than enough wiggle room for a cybercrook. The right choice needs to be made 100% of the time.

What are you doing to train yourself, your family, your employees, or your students?

We can either continue our present course – sticking our heads in the sand and leaving our rear ends exposed to whatever exploit comes along – or we can accept the fact that education and skills training are critical components of a secure online environment and fund these initiatives. Funding these initiatives will require more than lip-flapping. Companies that are cutting back on training expenses have to reinvest. Families and individuals have to stop playing pass the buck and take the time to teach themselves, and schools whose budgets have been decimated are going to have to figure out how to teach online safety, security and privacy in a holistic, skills-driven manner.

It’s a lot to swallow and requires a unified effort, but the options are even less attractive.